The discovery of Stuxnet in the wild was a watershed moment, signalling the first known salvo sent across the wires of the Internet to strike at an enemy far away. The fact that a piece of software could wreak such destruction in the real world was what drew most people’s interest however the way in which it achieved this was, in my opinion, far more interesting than the results it caused. Stuxnet showed that nation state sponsored malware was capable of things far beyond that of what we’ve attributed to malicious hackers in the past and made us wonder what they were really capable of. Thanks to Kaspersky Labs we now have a really good (read: scary) idea of what a nation state could develop and it’s beyond what many of us thought would be possible.
The Equation Group has been identified as being linked to several different pieces of malware that have surfaced in various countries around the world. They’ve been in operation for over a decade and have continuously improved their toolset over that time. Interestingly this group appears to have ties to the development teams behind both Stuxnet and Regin as some of the exploits found in early versions of Equation Group’s tools were also found in those pieces of malware. However those zero day exploits were really just the tip of the spear in Equation Groups arsenal as what Kaspersky Labs has discovered is far beyond anything else we’ve ever seen.
Perhaps the most fascinating piece of software that the group has developed is the ability to write disk firmware which allows them persist their malware through reboots, operating system reinstalls and even low level formats. If that wasn’t nasty enough there’s actually no way (currently) to detect an infection of that nature as few hard drives include the capability to read the firmware once its been written. That means once the firmware has wormed its way into your system there’s very little you could do to detect and remove it, save buying a whole new PC from a random vendor and keeping it isolated from every other device.
This then feeds into their other tools which give them unprecedented control over every facet of a Windows operating system. GrayFish, as it has been dubbed, completely replaces the bootloader and from there completely controls how Windows loads and operates. Essentially once a system is under GrayFish control it no longer uses any of its core boot process which are replaced by GrayFish’s toolkit. This allows Equation Group to be able to inject malware into almost every aspect of the system, preventing detection and giving them complete control to load any of their other malware modules. This shows a level of understanding of the operating system that would rival top Microsoft technicians, even those who have direct access to the source code. Although to be honest I wouldn’t be surprised if they had access to the source code themselves given the level of sophistication here.
These things barely begin to describe the capabilities that the Equation Group has developed over the past couple years as their level of knowledge, sophistication and penetration into world networks is well above anything the general public has known about before. It would be terrifying if it wasn’t so interesting as it shows just what can be accomplished when you’ve got the backing of an entire nation behind you. I’m guessing that it won’t be long before we uncover more of what the Equation Group is capable of and, suffice to say, whatever they come up with next will once again set the standard for what malware can be capable of.
It’s really hard to have anything but admiration for Stuxnet. It was the first piece of software that could be clearly defined as a weapon, one with a very specific purpose in mind that used all manner of tricks to accomplish its task. Since its discovery there hasn’t been another piece of software that’s come close to it in terms of capability although there’s always rumours and speculation of what might be coming next. Regin, discovered by Symantec, has been infecting computers since at least 2008 and is the next candidate for the cyber-weapon title and whilst its mode of operation is more clandestine (and thus, a little more boring) it’s more what it’s not that interests me most.
Unlike Stuxnet, and most other malware you’ll encounter these days, Regin is designed to infect a single target with no further mechanism to spread itself. This is interesting because most run of the mill malware wants to get itself onto as many machines as possible, furthering the chances that it’d pick up something of value. Malware of this nature, one that we haven’t identified a specific infection vector for, means that it’s purpose is far more targeted and was likely developed with specific targets in mind. Indeed the architecture of the software, which is highly modular in nature, indicates that Regin is deployed against a very specific subset of targets rather than allowing it to roam free and find targets of interest.
Regin has the ability to load up various different modules depending on what its command and control servers tell it to do. The functions range from interchangeable communication methods (one of which includes the incredibly insidious idea of encoding data within ping packets) to modules designed to target specific pieces of software. It’s quite possible that the list Symantec has created isn’t exhaustive either as Regin attempts to leave very little data at rest. Indeed Symantec hasn’t been able to recover any of the data captured by this particular bit of malware, indicating that captured data is likely not stored for long, if at all.
Due to its non-worm nature the range of targets that Regin has infected gives a pretty good indication as to what it’s intended purpose is. The two largest groups of targets were individuals or telecommunications backbones, indicating that its purpose is likely information gathering on a large scale. The location of of infections indicates that this piece of software was likely western in origin as the primary targets were Russia and Saudi Arabia with very few targets within western countries. It’s unlikely that this tool was developed for a specific operation due to its modular nature however, so I don’t believe there’s any relationship between different infections apart from them using the same framework.
Just like Stuxnet I’m sure we won’t know the full story of Regin for some time to come as software of this nature is incredibly adept at hiding its true purpose. Whilst its capabilities appear to be rather run of the mill the way in which it achieves this is very impressive. More interesting though is it’s non-worm nature which, whilst it may have prevented its detection for some time, hints heavily to its true purpose and origin. I’m really looking forward to further analysis of this particular piece of software as it gives us a rare insight into the world of clandestine cyber warfare operations.
While I might enjoy a good old fashion Apple bashing more than I should I’m still pretty heavily invested in their platform, with me counting an iPhone and MacBook Pro amongst my computing arsenal. Still anyone who’s been reading this blog long enough will know that I’m no fan of the hype that surrounds their products nor the hoard of apologists who try to rework any product fault or missing feature as a symbol of Apple’s “vision” when realistically Apple should cop some flak for it. Today I want to tackle one of the longest standing Apple myths that has still managed to perpetrate itself even in light of the overwhelming evidence to the contrary.
I am talking about, as the title implies, Mac’s apparent immunity to malicious code.
Wind back the clock a few decades and we find ourselves in the dawn of the consumer PC age and with it the initial success of the Apple II series of microcomputers. Back then the notion of a computer virus was almost purely academic with all working viruses never leaving the confines of the places that they were created in. Rich Skrenta, a then 15 year old computer whiz, took it upon himself to code up what would become the very first virus to make it into the wild, he called it Elk Cloner. This particular virus would attach itself to the Apple DOS running on the Apple II and on every 50th boot would display a lovely little poem to the user. Whilst it didn’t cause any actual harm (apart from annoyance) it was able to spread to other floppy disks and was the first virus to overwrite the boot sector so that it would be loaded each time.
That’s right, the first ever in the wild virus was indeed Mac only.
Still there’s a little kernel of truth in the saying that Macs are resistant to malicious code. Whilst most viruses in the past were done to inflict chaos and harm upon their users the last decade saw virus writers make the switch to the more profitable adventures of stealing credit card information, mining data or turning your PC into a zombie to be used for nefarious purposes. Mac’s immunity then came from obscurity as there’s little reason to go to all that effort to only target a small percentage of the worldwide PC user base and so the most favored platform became the most targeted, leaving the Macs relatively untouched.
Still even a small percentage of billions still adds up to multiple millions of people and so some virus writers started to turn their sites towards the Mac platform. Reports started surfacing over the rumors that were circulating and it became official, Macs were now a target. Apologists shot of volleys left and right saying that these were just in a minority and were even doing so right up to the end of last year, stating that the Mac’s immunity remains intact. Today brings news however that not only have Macs made the mainstream for normal users, they’re now mainstream for virus creators:
The kit is being compared to the Zeus kit, which has been one of the more popular and pervasive crimeware kits for several years now. A report by CSIS, a Danish security firm, said that the OS X kit uses a template that’s quite similar to the Zeus construction and has the ability to steal forms from Firefox.
“The Danish IT-security company CSIS Security Group has just yesterday observed a new advanced Form grabber designed for the Mac OS X operating system being advertised on several closed underground forums. In the same way as several other DIY crimeware kits designed for PCs, this tool consists of a builder, an admin panel and supports encryption,” Peter Kruse of CSIS said in a blog post.
Indeed they are now also the targets of scareware campaigns that masquerade themselves as actual virus scanners and with the prevalence of web based malware on the increase the Mac platform only provides immunity against the garden variety botnet software, not the fun stuff like man-in-the-middle attacks or cross site scripting vulnerabilities. Truly if you believe yourself immune to all the threats that the Internet poses simply because you chose the “better” platform you’re simply making yourself far more vulnerable to the inevitable, especially for things like social engineering.
I’m not sure why people continue to perpetuate the myth that Macs are completely immune to the threats of the Internet. It seems to stem from the deep rooted belief that Macs are the better platform (whether they are or not is left up to the reader) and quelling the rumors that Macs can be compromised would seem to strengthen it, somehow. Instead Mac users would be far better served by acknowledging the threats and then building countermeasures to stop them, just like the Windows platform has done before them. It’s not a bad thing, any platform that holds some kind of value will eventually become the target of nefarious forces, and the sooner Mac apologists wake up and admit that they’re not the shining beacons of security they think they are the better the worldwide computing system will be better for it.